This is the second part in a multipart series exploring technology risks facing in-house counsel and their clients. The first article in this series dealt with steps that in-house counsel can take to keep their data safe while they are on the road. This installment deals with deploying tablet computers in both the legal department of companies and in the enterprise in general. It also suggests some steps that might help to make these tablet computers more secure.
As tablet computers such as the Apple iPad, the Samsung Galaxy Tab, and the RIM Playbook start to displace laptop computers as the mobile computing platform of choice for both lawyers and other company employees, in-house counsel must be attuned to the risks associated with using these types of devices and be in a position to counsel their clients on these potential risks and ways to mitigate them.
Tablet computers are becoming a particularly hot topic as companies move to migrate mission-critical applications to these platforms. The use of applications such as customer relations management applications, mobile payment and processing applications and other cloud-based applications all increase the chances of data loss.
While often not thought of in the same vein as the laptop, tablet computers offer much of the same (and increasingly more) functionality as laptops. However, due to the newness of these platforms, the current lack of security in the underlying operating systems, and their enhanced uses, these platforms create additional risks for users and for companies.
Moreover, in contrast to their practice with most laptops and desktop computers, company IT departments are not yet universally installing any type of encryption or any other network security devices or software on tablet computers. Unfortunately, this presents an opportunity for hackers to access the data on these devices. This can also be said for smartphones, which have much of the same functionality and vulnerabilities as tablet computers.
The Main Concerns When Using Tablet Computers
The leading concerns from a security standpoint with respect to tablet computers at the current time can be summarized as follows:
- Most tablet devices do not contain any type of security or virus detection software.
- Most users use tablets for personal use as well as business use. This dual use may expose corporate intellectual property assets to misuse or inadvertent disclosure due to the end user's use of social media or other personal applications on the tablet.
- The very applications that make tablet computers such a valuable business and personal tool also may allow access to the information contained on those devices through the installation of malicious applications.
- Most tablet devices are able to connect to the internet via Wi-Fi. When connecting through the use of free, public Wi-Fi connections, data being transmitted as well as data contained on the devices may be at risk. This is especially true when using unsecured networks, which are becoming more ubiquitous throughout the country, if not the world.
- Many devices do not have any remote disabling or wiping software or other technologies installed upon them. In the event of a loss of the device, not only is the data contained on the device potentially at risk, but the loss can also potentially allow unfettered access to the corporate networks.
Some Thoughts on Securing Tablets
As discussed in the first column of this series, one of the first things that all users should be required to do is to set a password on their tablet devices. At a minimum, this will deter the casual thief from accessing the data on the device as well as potentially accessing the corporate network. I should note that this is a very basic measure, as there are devices in the marketplace that can directly access data on mobile devices even if a password is in place.
Secondly, all devices should have anti-virus as well as remote disabling or wiping technologies installed upon them. In the event that the device is lost, the data on the device can be remotely wiped thereby limiting inadvertent disclosure of sensitive information. Additionally, this remote wiping will prevent access to the corporate networks.
Thirdly, corporate enterprises should consider directly providing these types of devices to appropriate end users so that the use of the device can be limited to corporate use only. As such, applications that access social media-type functions can be limited on these devices.
There are rumors that some forthcoming versions of certain tablet operating systems will be able to essentially partition the devices into a consumer side and a business side. This is particularly interesting because it will allow the enterprise to remotely wipe the corporate side of the device if it is lost while not touching the personal side. It also would presumably create a partition between an employee's social media or other personal uses and the employee's corporate uses, which would afford better protection for corporate IP in the event a consumer application was breached. Again, the goal is to enable the enterprise to provide a higher level of security for the devices.
Another suggestion is to make certain that employees are only downloading applications from approved application stores or marketplaces. Google recently admitted that it had removed more than 50 malicious applications from its Android market in March of this year and remotely deleted these applications from over 250,000 smartphones that had already downloaded the applications. These applications were either found to be accessing private data inappropriately or providing data on users in violation of Google's privacy policies. Additionally, companies need to make certain that users do not jail-break their devices and that the devices have the latest version of the appropriate operating system installed.
Further, legal departments need to confirm that the company's policies and procedures with respect to information technology are appropriately updated to take into consideration the use of tablets and other mobile devices by employees.
Lastly, enterprises that are using tablets to develop applications for either corporate use or for their customers' use need to make certain that robust security is incorporated into those applications at the development stage, so that not only is the enterprise's data protected but customers that use those applications have their data protected as well.
While tablet computers present unique security risks, many of these risks can be mitigated through appropriate policies and procedures. Additionally, enterprises need to make certain that their employees are well educated on the ever-evolving security risks associated with these and other mobile devices.
As with all new technology, some enterprises are reluctant to allow the adoption of these technologies. However, ultimately the ease of use of these devices as well as their ability to provide increased functionality and competitiveness for enterprises will win the day, allowing for their ubiquitous adoption. Security will, however, always need to be a part of the technology adoption equation.
Read Roy Hadley's previous column.